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1. HIERARCHICAL PL^^ING AND MONITORING WITH CONCEPTUAL LEVELS 


This work deals with the use of knowledge-base architecture and plan- 
ning control mechanisms to perform an intelligent monitoring task in the 
flight domain. Progress made this past year centers ow the final refine- 
ment of the conceptual levels planning approach and the implementation of 
this design. At this time the implementation is nearly completed. The 
route level, the trajectory level, and parts of the aerodynamics level can 
now be demonstrated. 

The conceptual levels approach proposes an alternate method of 
obtaining global viewpoint: model the domain at different degree of global 
viewpoint. A complex real-world domain such as the flight domain requires 
global viewpoint during planning. Let us define the primitive ground- 
level operators to be the physical control actions the fight crew perform 
during flight. Suppose we record the flight crew during flight with a 
video recorder. A physical action is what the flight crew does each time 
a control element is changed. Since the flight domain is a dynamic domain 
and some of these control elements need to be adjusted frequently one can 
see that the state space is quite large. To plan a flight at the ground- 
level, worrying about the control positions second by second, is clearly 
not fesible. 

In addition to being a complex domain, the flight domain places addi- 
tional demand on the planner because the pla^i must conform to domain con- 
straints. Some constraints are global while others are more local. For 
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example, to have a safe flight, the aircraft should not run out of fuel, 
should fly a navigable coursrf such that it does not get lost, should not 
fly into a mountain nor through icing condition nor turbulence, should not 
fly so fast that the airframe is damaged nor so slow that the aircraft 
stalls. The planner must generate a plan that achieves the goal while 
satisfying these constraints. 

It is interesting to note that these constraints have different 
scope. Scope means the extent of coverage over, the ground-level plan, 
roughly analogous to global viewpoint. A constraint such as "the aircraft 
should not run out of fuel" has very large scope since it affect the 
structure of the entire plan. A constraint such as "do not stall the air- 
craft" has very small scope since it affects very small portion of the 
ground-level plan. A constraint such as "do not fly in turbulence" has a 
scope somewhere in between. The reader may also notice that these con- 
straints are not directly related to each other. For example, the "do not 
run out of fuel" constraint, while operating at a larger scope, is not a 
more general version of the "do not fly in turbulence" constraint. 

The immediate effect of the conceptual levels approach is to break 
the complex domain into simpler homogeneous minldomalns. By specifying 
the minidomains along different facets of the domain, the domain complex- 
ity is reduced to several nearly independent less complex domains which 
are causally complete by themselves. This reduction of complexity is 
similar to the problem-solving paradigm that if a task is too difficult, 

divide it into easier subtasks and a,olve ^the -subtasks. The division here 
is to partition the domain semantics along the aspects of the domain, thus 
reducing the search space inside a subdivision. Instead of complexity 


reduction through task decomposition, the complexity reduction is through 
domain knowledge partitioning. 

While domain complexity reduction i<?j desirable, the flight planner 
requires global viewpoint. Global viewpoint can be obtained through vert- 
ical domain knowledge decomposition. This is done by constructing mini- 
domains of different scope, or in other words, model the domain at dif- 
ferent degree of global viewpoint. It la vertical because the mlnidomaln 
of the largest scope makes decisions which guide planning at the mini- 
domain of lesser scope. 

Domain knowledge decomposition achieves a reduction in complexity, 
but with the gain also comes the drawback of limited viewpoint. The cause 
of this limited viewpoint is the partitioning of the domain knowledge. 
The conceptual levels architecture achieves both broad viewpoint and nar- 
row, focused viewpoint because of the maltlple conceptual levels. The top 
level is constructed to support the broad viewpoint and the bottom level 
is constructed to support the tight detailed viewpoint. The problem is 
that since not one conceptual level can cover both the broad and tight 
viewpoint, the planner cannot see the total picture at a given time. Thus 
the planner eannot plan with absolute accuracy at the high level, nor can 
it appreciate its role at the low level. 

Since the levels hierarchy is designed to provide global viewpoint 
for the low-level planners, the inability to look ahead at low level is 
not a problem. However, the high-level planner, not able to plan with 
absolute accuracy, is a problem. Planning proceeds top-down; the r'oute 
planner plans to satisfy global constraints, then the trajectory planner 
plans to satisfy constraints of Intermediate scope, and finally the 
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aerodynamica planner flies the aircraft and tells the subsystems level 
what is necessary to fly. Tije difficulty is that since the route planner 
is buffered from the engine system and the actual flying, it does not know 
for certain what are the aircraft range and ceiling. And yet, if the 
route planner consider the trajectory, the aerodynamics control settings, 
and the subsystem control settings to determine the exact range and cell- 
ing values while considering traversing an airway segment, the route 
planner would be bogged down in detail which the architecture is designed 
specifically to avoid. 

This is an insoluable catch-22 problem inherent to this architecture. 
One must choose between risking the combinatorial explosion to ensure an 
accurate world model at the high level or risking a bad plan at the high 
level due to an inaccurate world model. The least Of two evils appears to 
be the second choice: plan at high level with a possibly inaccurate world 
model. This approach introduces two new wrinkles to top-down planning: 
replanning may be necessary and bottom-up verification of the world model 
is required. 

Planning is necessarily top-down in this architecture because the 
low-level planner cannot make global decisions and yet it cannot plan 
without the global decisions since these global decisions Influence its 
planning. Planning decisions are made at high level based on a possibly 
inaccurate world models and yet this high-level world modsl can not be 
verified until the low-level plan is set. When the low-level plan is 

done, it is examined to verify that it agrees with the model of the level 
above, and agian with the levels above. The plan is not finished until 
all the models agree. 
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Model updating is also necessary when the external world changes 

* * 

unexpectedly. For example, suppose the flap is stuck after takeoff. The 
trajectory level and the route level should be aware of this and check 
their plans to make sure they are still good. Similarly, a failed engine 
or an unexpectedly stiff headwind requires model updating and plan check- 
ing. The model updating is initiated at the level where the change 
occurred. For example, a stuck flap is initiated at the aerodynamics 
level, and a fuel leak is initiated at the subsystems level. The extent 
of model updating depends on the situation and is controlled by inter- 
level planning control. 

The conceptual levels planner is implemented in Franz LISP. More 
specifically, it is implemented in rule system and frame system. All 
static knowledge structures are implemented in a locally developed frame 
system, written in Franz LISP. All active knowledge structures are imple- 
mented in a rules system, more specifically, the 0PS5 rules system written 
in Franz LISP. Both knowledge structure systems are contained in the same 
lisp environment running on a VAX 11/780 computer. In addition, a PDP- 
11/45 computer and a Ramtek color graphics system are used to display the 
aircraft environment. 

The rules contain the meta-planning knowledge. This meta-planning 
knowledge c( ntain both the intra-level planning control knowledge and the 
inter-level planning control knowledge. Presently, approximately 100 
rules are implemented. These rules control the planning at the route 
level, the trajectory level, and the partially implemented aerodynamics 
level. As the levels are further developed and refined, there may be 
approximately 200 rules. 
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The frame system is used to represent domain knowledge and the plan 
structure. In fact, since there are four levels, the entire plan struc- 
ture is made up of four substructures. The domain knowledge represented 
in a frame consists of knowledge such as the airports, the vortao 
transmitters, the airway segments between the vortao transmitters, the 
attainable cruise trajectories, the attainable climb trajectories, the 
attainable descent trajectories, the cruise phase, the climb phase, the 
descent phase, the climb force vector equilibrium system, the cruise force 
vector equilibrium system, etc. The plan operators are represented in 
frame structure, and naturally the resulting plan is similarly 
represented. 

The planning system is presently Implemented down to the aerodynamics 
level. The planning process is displayed both on a terminal and on the 
Ramtek graphics monitor. The aerodynamics level will be completed in the 
near-term future. More detailed discussion of the theory and the imple- 
mentation is available shortly in a technical report. 
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2. surnmn-Dimm. .MECMigM MiiomizATioN 

2 > 1 » .Sfl.fliaar.lo. 

Consider the following scenario. An expert in a specific mechanism 
domain is given a diagramatic representation of the physical structure 
of an instance of a specific mechanism. Fut«thermore, let us assume that 
he is told the name of the meohansim. This name is meaningful to him - 
he knows what the abstract function of the mechanism instance must be. 
What we require of this expert is an explanation of the instance 
behavior of the instance in question. This explanation is a product of 
the application of the expert's mechanism understanding process. 

.Meshaalsn .Under s.tandlng 

We are interested in the underlying concepts and principles of this 
mechanism understanding process. 

There may be several instances of a specific mechanism - for exam- 
ple, there are several instances of the amplifier which use the transis- 
tor as the active element, and several instances of the amplifier which 
use the operational amplifier as the active element. As a further exam- 
ple, there are several instances of the thermostat - one incorporating a 
bimetallic strip as the temperature-sensitive element, and another 
incorporating a gas bellow as the temperature-sensitive element. Thus 
the physical structures of the various instances in question may appear 
quite different. However, the abstract function of these instances 
remains the same. The instance behaviors, which are generated 
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analytically from the physical atruotures, will accordingly be unique to 

* 

the instance in question. However^ the expert seems to be able to uope 
- he can rationalize an instance of a mechanism which appears familiar, 
but which he has never seen before. Accordingly, the generation of an 
explanation of the instance behavior must begin from the known abstract 
function of the mechanism instance in question. 

Generally speaking, the understanding process is a forward qualita- 
tive reasoning or qualitative simulation. The explanation of the 
instance behavior of the instance in question is an artifact of the 
expert's analytical understanding process. This understanding process 
may be based on functional component state models as the qualitative 
knowledge primitives [De Kleer], or it may be based on functional pro- 
cess models as the qualitative knowledge primitives [Forbus]. Some 
input signal is introduced as the input of the instance or situation. 
This input signal is then propagated through the qualitative constraints 
imposed by the primitive models, and the qualitative constraints imposed 
by their connection scheme into an instance or situation. The imprecise 
resolution of this analysis is introduced because of the approximate 
nature of qualitative simulation. Thus, qualitative simulation leads to 
many possible interpretations of instance behavior, each with a unique 
set of key assumptions chosen at decision points encountered during the 
course of that simulation. We are identifying such ambiguity classes. 

We believe that a qualitative simulation process of some kind is 
necessary for understanding how an instance of a mechanism can achieve 
the characteristic function of that mechanism. 


9 


This qualitative sinmUiion step should not be applied without some 
careful > knowledge-based focusing and simplification of the instance in 
question. Domain knowledge of the abstract mechanism function and 
domain knowledge of physical substructures encountered in the past can 
and should be utilized to properly frame the mechanism instance for 
understanding through qualitative simulation. 

^.5. .Prablea 

The understanding process begins with the expert knowledge of the 
abstract function of the mechanism. The expert knows what the instance 
must be designed to achieve. This expert knowledge serves as global 
control to direct the analytical understanding process. It is used to 
direct a decomposition of the understanding problem into many separate, 
alraost-independent, stand-alone aubproblems. In doing so, this expert 
knowledge is used to constrain the understanding analysis by establish- 
ing all of the environments of complete definitive mechanism operation, 
one for each subproblem. An environment is identified with a functional 
goal that the instance behavior must achieve. The composition of all of 
the functional goals of all of these almost- independent subproblems is 
the overall mechanism function. An environment is specified by adding 
the knowledge of what input signal is characteristic of the sr-jfunction 
goal, and what output signal is expected to be achieved as an effect of 
the constraints imposed by the components and connection scheme of the 
instance in question. 
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Take as an example, the nand oiroult. The abstract function of the 

nand circuit is a multi-state truth table description using the language 

of logical 'O’ and '1'. Knowing that the instance in question is a nand 

circuit, the appropriate chunk of knowledge comes to the fore. ’ The 

expert immediately makes many knowledge based assumptions. Among those 

assumptions, he decomposes the understanding of the instance into four 

' Iraost-independent subproblem environments - one for each situation 

associated with a truth table entry. The composition of the resulting 

explanations of all of these understanding subproblems is a complete 

explanation of the overall nand circuit function. Associated with each 

environment is the function goal of that environment - achieving the 

appropriate logic signal vector at the output terminals, when the 

characteristic input logic signal vector is introduced at the input ter- 

» 

mlnalr , expert thus decomposes his analytic understanding problem 

into four separate perspectives (a perspective is a physical structure 
in an environment with a specific function goal). These four perspec- 
tives can be reduced to three if symmetry of nand circuit input termi- 
nals is taken Into account - the (0 1 -> 1) situation and the (1 0 -> 1) 
situation are symmetrical. 

Problem focus is achieved by using the abstract function of the 
instance in question to direct the decomposition of the understanding 
problem. A perspective allows us to focus on the subproblem at hand to 
the exclusion of all other subproblems. For each subproblem, it identi- 
fies the specific environment in which that instance must operate and 
the specific function goal or subfunotion that that instance behavior 
must achieve. A perspective also focuses the subproblem at hand by 
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telling us what irrelevant details to ignore and discard in the analyti- 
cal understanding process for that subproblem. For each subproblem of 
the nand circuit, we are no longer concerned with the specific node vol- 
tage values. We instead spealc in a language of logical ’O' and '1». 
The perspective also dictates the type of qualitative analysis which 
should be used to analyze each particular subproblem. We know not to 
perform small signal perturbation analysis to determine the relevant 
instance behavior. We are no longer interested in the state transition 
history of the multi-state components. We instead know to perform 
steady-state dc analysis for each nand circuit perspective. 

2.i. Problem ,Slmpllf.isaLtlO,n, 

The analytical understanding process is controlled and organized in 
a top-down manner into perspectives as directed by the mechanism func- 
tion. The understanding problem is thus focused through a decomposition 
process. A process to simplify the subproblem at hand is the recogni- 
tion and consequent clustering of physical , substructures into single 
behavioral entities. This process works in a bottora-up manner since it 
begins from the physical structure of the Instance in question. The 
expert often distinguishes and circles substructures on the diagramati- 
cal represenation of the instance in question. He recognizes these sub- 
structures as ones that he has seen before. This recognition simplifies 
the physical structure of the instance in question by a physical 
abstraction of detail. Each recognized substructure is composed in a 
sense and replaced by a single macro-component with unit function. The 
result is a simpler physical structure with fewer constituent components 
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in a simpler connective topology. 

Take as an example, the two-stage do amplifier. The abstract func- 
tion of the two-stage dc amplifier is an equational description using 
the language of 'Gain' and ’Offset'. An amplifier expert would immedi- 
ately recognize that the instance contains two physical substructures - 
amplifier stages - which each contain three components, and one physical 
substructure - voltage divider - which contains two components. As a 
result, the expert can generate another level of diagramatic representa- 
tion of the physical structure of the mechanism instance. This new 
representation level is the result of an abstraction of the initial 
diagrammatic representation of the physical structure of the mechanism 
instance. He composes these three physical substructures into three 
macro-components through a physical abstraction of detail. The result 
is a simpler physical structure of three constituent components in a 
simpler linear connective topology. Associated with each macrocomponent 
is its own abstract function description. Each amplifier stage has its 
own component parameter 'Gain'. Thus, there is an associated abstrac- 
tion of the parametric description of the new components in the new 
level of physical structure. The physical structure may be reduced even 
further, to two components, if the expert recognizes that the two 
amplifier stages can be composed into a single functional composite 
amplifier stage - a still more abstract level of physical stuoture. The 
gain parameters of the two amplifier stages are multiplied together to 
produce the mors abstract parameter gain of the composite amplifier 


stage. 
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Problem simplification is achieved ty using the knowledge gained 
from past experience to recognize and abstract familiar substructures 
enscounced in the mechanism instance in question. Each macrocomponent 
model is described or encoded using syntactically the same format as 
that used to describe primitive component models. In this way, a physi- 
cal structure composition hierarchy is produced that enables explanation 
at various levels of detail. The analysis is also focused by working 
with the more abstract parameters which describe the macro-component 
function rather than the more numerous, less abstract parameters which 
describe the functions of the substructure components. Physical 
abstraction focuses on the appropriate level of the parameter language 
to be used in the description of instance behavior. Unlike perspec- 
tives, the introduction of levels of detail summarizes and saves detail, 
which may be recalled for consideration rather than being totally dis- 


carded. 
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1- ilSim Jm-ii£££L MgiiANIfiM IXlB J)IA GNQSES SH J)EPENDENT 
£AlLU.fl£S 

3.. J.. Overview and Summary 

This final report summarizes the result of our research on the 
model -based diagnoses under many years of NASA support. We first 
briefly overview our approach to the mechanism diagnosis problems. 
In our diagnosis methodology, we decompose the diagnosis task into 
two subtasks: bypotheslzation and verification. In the hypothesiza- 
tion phase, a set of failure possibilities is heuristically postu- 
lated. Then in the verification phase, the expected behavior of each 
failure hypothesis, as predicted from reasoning with the deep-level 
mechardsm model, is matched against the symptoms actually observed. 
The main theoretical issues of our research lie in the development 
of a deep-level mechanism model (which we call the state-transition 
model, and the use of such a model for reasoning about the qualita- 
tive behavior of a faulty mechanism (a process which we call the 
predictive analysis) . Those theoretical issues are thoroughly dis- 
cussed in Pan's Ph.D. dissertation [1], iwhich also investigates two 
interesting aspects of hypothesis verification, namely, the use of 
qualitative symptom features, and the use of transient symptoms in 
verification. 

In this report, we focus our discussion on issues related to 
the hypothesization process which, though less theoretical in its 
nature, serves as an important link between the proposed diagnosis 
theory and its real-world applications. In the next section, we 
first use an idealized mechanism model (called the Production-Line 
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Bodel) to explain: (1) how traditional diagnosis approaches have 
been "made" easy, and (2) what the underlying assumptions being 
imposed on these approaches are. Then we discuss our heuristical 
approach for dealing with a non-ideal situation: the real-world ana- 
log mechanisms. A Flov-Cauaallty aodel is introduced to decompose 
the functionality of a mechanism into two levels: the Causal Level 
in which the diagnostic principles developed for PL-modeled mechan- 
isms can be "heuristically" applied (with exceptional cases), and 
the Flow Level in which special (expert) diagnostic knowledge for 
each type of flow systems has to be adopted. As the result of the 
discussions on diagnoses based on the PL-mechanisms, the limitations 
of a straightforward diagnostic approach can be better understood, 
and the analyses of its weakness forms the basis for the future 
development of a diagnosis strategy applicable to general analog 
mechanisms. 

At the end of this chapter, we propose a system organization 
for the future Intelligent diagnosis system constructed based on our 
theory . 

1.^. Generations sX. Failure Hypotheses 

Within the context of a time-complicated mechanism with 
dependent-failure possibilities, the generation of failure 
hypotheses is a task of postulating possibilities of the priaary 
failure based on the initial symptom-snapshot which triggers the 
detection of a failure. Our hypothesis generation is similar to 
traditional diagnosis problems in two v/ays: (1) the task is based on 
symptoms observed at one single snapshot, and (2) the goal is to 


assert a set of single-failure possibilities which oan potentially 
causes the observed symptoms. In view of our overall diagnosis 
approach, the verification process will refine the result of this 
failure hypothesization to (1) incorporate the use of time-elapsed 
symptoms for resolutions among the hypotheses, and (2) understand 
and thus explain dependent failures. 

A naive approach for generating failure hypotheses is to pro- 
pose all possible failures. However, by doing so, an enormous com- 
putational problem will be created in the verification process. A 
smarter approach will adopt some heuristioally-based rea/^oning pro- 
cess to select a set of most-likely failure possibilities among the 
space of all possible failures. 

A straightforward approach is to adopt the production-system 
paradigm [2] by which expert's rules for diagnoses are encoded and 
utilized to map the symptoms to possible failures. While not ques- 
tioning the effectiveness of the production-system approach in deal- 
ing .^•^ith a specific mechanism, such approach totally bypasses the 
well-formulated modeling knowledge which engineers develop to 
analyze the domain. An alternative approach will be to develop a 
functional model of the mechanism, and to use the model in deriving 
failure hypotheses from observed symptoms. In comparing these two 
approaches, the model -based approach is theoretically more interest- 
ing in that the methodology we develop in dealing with the modeling 
of mechanisms and the using of models can be applied on other 
mechanisms, while with the production-system approach each mechanism 
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has to be treated as a special case^. 

In this chapter > our focus Is on the model -based approach. We 
first discuss the hypothesization problem in an idealized mechanism 
modeled by the •’loopfree-productlon-line” model i which helps us 
understand the limitations of existing AI diagnosis works and sets 
the stage for the discussion of our approach in dealing with non- 
ideal situations. We then discuss the hypothesis generation problem 
in an analog mechanism with a proposed functional model, called the 
”flow-causality model”. 

Jkh& Loopfree-Productlon -Line Ilfial MftShanigas 

To understand how failure possibilities can be hypothesized 
from symptoms by reasoning with a functional model of the mechan- 
ism, we first study an ideal situation in which such tasks can be 
performed with a straightforward diagnostic logic. Assuming that 
we are dealing with an ideal mechanism in which interactions among 
sub-modules can be modeled in such a way that (1) propagations of 
effects (signals) among modules is always "unidirectional”, 
namely, whatever failure occurred beyond the output of a module 
will not affect the behavior of upstream modules, (2) a module 
will behave differently if its input is abnormal, and (3) there is 
no loop existing in propagations of effects among modules. For 
the purpose of easy reference, we will call such an idealized 


However, a diagnosis approach based on the production system para- 
digm has its advantage in that it can encode global diagnostic knowledge 
which is not direct rational izable from deep-level mechanism models. Ex- 
amples of such knowledge are special experiences (e.g. , engine vi- 
brates) , priori-probabilities, etc. 
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mechanism the loopfree-production-llne nodel (since a production 
line is usually loop-free, we call it a ''production-line” ( PL ) 
model for short) for its similarity to the station-to-station 
interactions in the production-line of a factory. As shown in 
figure 3.1(a), a typical production line has a sequence of pro- 
cessing stations (A,B,C,D in this example). Interactions between 
two processing stations are done by a conveyer belt which carries 
partial products from one station to another. If a failure occurs 
(say in station C, as shown in figure 3.1(b)), we will observe 
symptoms in station C (partial products piling up) and stations 
downstream to C (which is station D with no ”input” products), but 
never on its upstream stations A and B. 

In a mechanism describable by the loopfree-production-line 
model, the partially-ordered causalities are implicitly esta- 
blished among its modules, corresponding to the directions of sig- 
nal propagations. With the assumption that there is a way to 
determine the normal/abnormal status of an operational module^, 
the isolation of the faulty module can be achieved by backtracing 
along the causal paths of the mechanism. In the following para- 
graphs, we discuss four basic diagnosis principles, (namely, 
causal-backtracing, fault-identification, common-cause, implied- 
exoneration) , within hypothetical situations for their applica- 
tions. 


In WATSON'S task of isolating radio-receiver failures at the 
stage-level [3], the operational status of each stage is defined by the 
"normality" of stage-output signal. 
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Figure 3*1 A Loopfree- Production-Line (PL) Model and a Failure Example 
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As shown in figure 3.2(a), interaotiona among functional 

t 

module A, B, and C are suoh that A enables B and B enables C. 
Operational statuses of B and C are known to be abnormal while A 
is known to be normal. To isolate the possible failure in this 
example, we first reason that since C is enabled by B and B is 
abnormal, the the abnormality of C must be inherited from the 
abnormal B (by the "uni-directional" assumption), and thus C is 
exonerated (by the "single -failure" assumption). The above rea- 
soning steps to exonerate an abnormally-behaved module are called 
the Causal-Backtraoing principXeo With C exonerated, we infer 
that since B is enabled by A and A is normal, B's abnormality must 
be due to its own failure (by the "uni -directional" assumption). 
The failure of the PL mechanisB is thus postulated to be func- 
tional module B. We call such reasoning steps the Failure- 
Identification principle. At this point, applications of the two 
diagnosis principles illustrated are local in nature, namely, the 
related information they utilize always comes from direct neigh- 
bors of a module. We now discuss how non-local information can be 
incorporated in their deduction processes. 

Because of the limited availabilities of sensors, we may not 
be able to determine the operational status of each module. By 
the single-failure assumption, we can extend the causal- 
backtracing principle to achieve indirect failure associations. 
For example, in a PL mechanism as shown in figure 3.2(b), by 
applying the extended version of the backtracing principle, C and 
D are exonerated even if the status of C is unknown. Again, by 
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^.Causal Direction of 
•Effect Propogotlon 

Module Status 

A Normal 
X Abnormal 
? Unknown 



Figure 3.2 Examples to Illustrate Fault -Isolation Principles 
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the fault-identification principle, B is postulated to be the 
culprit. However, not in all cases can the isolation process 
localize one specific faulty module. In a PL mechanism with a 
similar causal structure but without the operational status of B, 
as shown in figure 3.2(0), a set of possible faulty modules, 
namely, B, C, and D, is postulated Instead. 

We now explore a more sophisticated diagnosis principle, 
called the CoMon-Cause principle, which takes the advantage of 
special causal -fanout structures existing in the PL-model of a 
mechanism. In a situation as shown in figure 3.2(d), the fact 
that abnormal On and abnormal Dm share the same cati«"'al '"upstream" 
module B imply that the failure is due to a common cause upstream, 
namely, B. In this case, by further applying the fault- 
identification principle on A and B, we postulate that B is the 
culprit even with no knowledge about the operational statuses of 
C1..,Cn-1 and DT...Dm-1. 

The diagncsii' principles developed so far emphasize the 
direct and indirect uses of module-abnormalities (symptoms) in 
postulating possible failures. We now discuss the Implied- 
Exoneration principle which excludes some functional modules from 
failure possibilities by reasoning with normal (or no-fault) meas- 
urements. To be able to apply the implied -exoneration principle, 
we introduce an "intentional design" assumption which states; "a 
functional module will nob operate normally unless all its 
enabling-preconditions are satisfied". This means, if a module 
fails, all modules causally-enabled by it will show symptoms if 
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sensor-moasureaents are available. Alsoi no module should have 

implioit redundancies built In^, Potential applications of the 
Implled-exoneratlon principle are illustrated by an example, as 
shown in figure 3»3* In the PL«raodeled mechanism with causal 
relationships as shown In figure 3.3, knowing that functional 
module F Is abnormal prompts the postulation of a failure set 
which includes A, B, C, D, G, and H by applying the fault- 
identification principle. However, knowing F is operating nor- 
mally causes us to assert, by the implied -exoneration principle, 
that A, B, and C must be operating normally even though no direct 
measurements are available, (D may be partially faulty, namely, it 
may have a normal output to E while fails in the output to G. ) 
Therefore, by applying the implied-exoneration principle, the 
fault-isolation process postulates a smaller possibility-set with 
D, G, and H being potential culprits. 


In reviewing Brown's WATSON approach for the troubleshooting 

of ra^io -receiver 3 [3]^, we find it is a simple case of our 
fault-identification process, namely, it is a straightforward 
application of the identification principle alone to a near-ideal 
mechanism: a radio-receiver with stage-decomposed modules. 


3 

In case of a real-world mechanism in which redundancies do exist, 
they should be made explicit in the causal description. The detail will 
be discussed within the context of flow-causality models. 

li 

The author must point out that WATSON 's reasoning is for the gen- 
erations of test-points, which implicitly assumes that the status of 
each functional module can be determined. Thus, our comment is not about 
the weakness of his approach, rather, is about the generality of his 
theory. 



.'if 
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lauOJiL JflQlation in a .AnaioK Hegtiafllan 

The study of failure isolation on the Ideal mechanism serves 
' » 

as the foundation for the understanding of failure isolation in a 
non-ideal real-world mechanism. Summarizing the results from pre- 
vious discussions, the four diagnostic principles are developed 
based on following assumptions made on an ideal PL mechanism: 

[a] Single-Failure Assumption — Only one failure can occur in a 
mechanism at a ti.me. 

[b] Uni -Directional Ass'‘mptlon — Propagation of causal effects 
among functional modules are ”unl-directional". Only one 
failure occurs at one time. 

[c] Status-Determinable Assumption — There exists a mapping by 
which the normal/abnormal operational status of each func- 
tional module can be determined if some sensory measurements 
are available. 

Applying these four diagnosis principles to non-ideal mechan- 
isias results in a heuristic (rather U:an exclusive) set of failure 
hypotheses in the sense that the actual falliu’e will be included 
in the possibility set most of the time — exceptions are due to 
violations of ideal assumptions on the PL mechanism. To layout a 
practical approach for failure isolations in a non-ideal real- 
world mechanism and to understand the limitation of such approach, 
it is most helpful to discuss our fault-isolation methodology by 
studying the conditions under which these ideal assumptions are 
violated in an analog mechanism. 
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The single-failupe assumption is consistent with the purpose 
of our hypothesization task, which is to postulate a set of 
primary- failure possibilities. With respect to the second assump- 
tion of uni -directional casual propagation, we rarely find any 
real-world mechanism which can satisfy this assumption without 
exceptions. Therefore, we propose a flow-causality model which 
organizes the functionality of an engineered mechanism into 
causally-related flow-groups. The intention is to provide a func- 
tional decomposition of the overall mechanism into modules of 
flow-subsystems with near-unidirectional inter-module interac- 
tions. Within a flow-group, variables are closely-associated in 
the sense that arw failure "almost” certainly will affect all 
variables in the same flow subsystem. Such property of close 
associations among variables also makes the condition favorable to 
apply the four diagnosis heuristics since the operational status 
of each functional module is likely to reflect on any given sensor 
within the flow subsystem. Interesting as the idea may sound, we 
have to stress at this point that there exists counter-examples in 
real-world mechanisms which will conditionally violate the basic 
assumptions of the PL model. Therefore, the effectiveness of 
applying the four diagnostic heuristics to a real-world mechanism 
depends on how often the ideal assumptions are violated — which, 
in author's opinion, is an engineering-oriented issue. For this 
reason, the author emphasizes the engineering aspect of our 
hypothesization methodology in terms of its usefulness, rather 
than its theoretical importance. 
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Our purpose of developing the flow-causality model of a 

mechanism is to create a functional description which is organi- 

» 

zationally similar to that of the Production-Line model in the 
hope that the isolation principles developed for the ideal 
mechanism can be similarly applied for the generation of fault 
hypotheses. 

Intuitively, the functionality of an engineered mechanism 
can be described as a set of causally-related subsystems which 
implements the Intention of its designer. For example, the 
mechanism of a simple jet-airplane can be functionally organized 
into following subsystems; the fuel subsystem, the engine sub- 
system, the oil subsystem, the electrical subsystem, and the 
hydraulic subsystem. Following the intention of airplane 
engineers, the causalities among the subsystems are, as shown in 
figure 3.4, such that the fuel subsystem drives the engine sub- 
system, and the engine subsystem in turns drives the oil subsys- 
tem, the electrical subsystem, and the hydraulic subsystems. 

In order to activate each subsystem, the designer arranges 
a set of components in such a way that some "products", or 
called "medium" can be forced to other causally-depended subsys- 
tems. With this view, we can abstractly characterize a func- 
tional subsystem as a "flow subsystem" which creates and 
transfers a particular type of medium to other subsystems, and 
the sensors in a subsystem serve to monitor the "potential -of- 
flow" or the "rate-of-flow" at various points of a flow 



I 

i 


i 

j 


Figure 3.4 Causal Dependencies among Subsystems of an Airplane Mechanism 
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subsystem. In some types of flow subsystems, the medium is 

stored (as in au. oil subsystem) rather than created (as in a 

electrical subsystem) , thus the "quantity -of -medium" (as the 

oil -quantity) becomes relevant. Some typical flow subsystems 

and their corresponding media are listed below; 

Types of Flow-Subsvatems Flow Media 


Oil Subsystem engine-oil 

Hydraulic Subsystem hydraulic-fluid 

Electrical Power Subsystem electricity 

Thermal -Transfer Subsystem heat 

Pneumatic Subsystem air 

An Interesting observation is that the flow-variables 
within a flow subsystem are closely-associated in the sense that 
there seldom is a case that symptoms of a failure show on some, 
but not all, of the flow variables. In contrast, variables 
belong to two causally-related subsystems are likely to be 
unidirectional -associated in the sense that a failure in the 
"driven" subsystem usually will not reflect on the "driving" 
subsystem. 


Finally, we discuss representational issues of the flow- 
causality model by an example of cooling mechanism, commonly 
used in the central air-conditioning system, as shown in figure 
3.5(a). As shown in figure 3*5(b), the cooling mechanism is 
functionally decomposed into three flow-subsystems; the 
electrical-subsystem, the water-circulation subsystem, and the 
hsat-removing subsystem, with electricity, water, and heat as 


flow-media respectively. 


Oh I oot< 




Figure 3*5 A Cooling-Mechanism Example for the Flow-Causality Model 
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The causalities among these three subsystems are described 
as following: 

(drive 'ELECTRICAL-SUBSYSTEM 'WATER-CIRCULATION-SUBSYSTEM) 

(drive 'WATER-CIRCULATION-SUBSYSTEM 'HEAT-REMOVING -SUBSYSTEM) 

B’or each flow-subsystem, we further establish the associa- 
tion between each function roles and physical components by 
which the function is actually implemented. As shown in figure 
3.6, the abstract functional role "reservoir" is implemented as 
the "WATER-TANK", the "booster" as "WATER-PUMP", etc. The 
"delivery-path" is implemented by a group of components which 
structurally are in series. A frame-like representation is 
adopted to describe the subsystem model: 


subsystem-name : 'WATER-CIRCULATION 

abstract-functional -template : ' HYDRO-FLCW-CIRCULATION 

medium; 'WATER /• a-kind-of non-compressible fluid */ 

functional -roles: /• mapping to the structural components •/ 

reservoir: 'WATER-TANK 
supply-path: 'LO 
booster; 'WATER- PUMP 
delivery-path: 

(in-series LI FILTER L2 HEAT-EXCHANGER L3 RADIATOR L^) 
drain: 'WATER- TANK 


Notice that the specification in the "abstract-functional- 
template" slot serves as a linkage to a body of knowledge about 



Figure 3.6 Functional -Structural Association in a Water-Circulation Subsystem- 
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a general non-compressible hydro-flow circulation subiystem 

* 

which this particular WATER-CIRCULATION-SUBSYSTEM is an instance 
of. To be included in this knowledge chunk is a piece of 
knowledge to map observed symptoms into a set of failure 

hypotheses^. 

In a mechanism with built-in redundancies at the subsystem 
level, these special relationships will be explicitly 
represented in their causal descriptions. For example, in a 
modern DC-1 0-like [4] airplane, the fuel subsystem, the electri- 
cal subsystem, and the hydraulic subsystem are all designed with 
heavy redundancies, as shown in figure 3*7* As a typical case, 
the casual relationships between the power-plants (engines) and 
the electrical subsys^'em will be described as: 

( drive 
(or 

' POWER-PLANT- 1 
'POWER-PLANT-2 
’POWER-PLANT-3 

) 

' ELECTRICAL -SUBSYSTEM 

) 


5 

One simple approach is to attach a pre-coded procedural knowledge 
to the frame of abstract flow-subsystem so that it can be inherited by 
all flow-subsystems of the same type. Our emphasis is on the organiza- 
tion of the flow-subsystem knowledge. The failure-postulation pro- 
cedure, because of its engineering nature, is not discussed in this 
thesis. An illustration of its applications will be discussed later in 
an example. 



Figure 3.7 An Explicit Causal Representation for a Redundant Mechanism 
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-Eallure HvpQfchesizatlon jaiUl J^hS. £to-.Cauga,U.tY .ModfiX. 

The task of failure hypotheslzation is achieved in two 
steps: subsystem isolation and failure postulation. In this 
section^ we illustrate the process of failure hypothesization by 
the example of water-cooling mechanism, shown in figure 3.5. 

First, we deal with the problem of isolating the faulty 
siubsystem. The subsystem-level of a flow-causality model pro- 
vides a description of causal relationships among subsystems 
analogous to that of the ideal PL-modeled mechanism. As a pre- 
condition to applying the four isolation principles developed 
for the ideal mechanism, we need to define a predicate by which 
the operational status of each subsystem can be determined from 
its related sensors, which happen to be available. Knowing that 
sensors are installed in an operational mechanism to monitor 
flow-related variables, thus, by the flow-causality model, 
available sensors are divided into groups according to associa- 
tions of their corresponding variables. The operational status 
of each subsystem module is defined as follows; (1) the status 
is said to be normal if all available sensors in a flow subsys- 
tem have normal readings, (2) the status is said to be abnormal 
if any sensor in the subsystem shows deviation from its normal 
value, and (3) the status is unknown if no sensor-reading is 
available. With the definition of the subsystem status, the 
four isolation heuristics can be applied to isolate the faulty 
subsystem. In the example of a cooling mechanism, given that P2 
and T3 readings are deviated from their normal range but VI is 
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normal, we heuriatioally isolate the failure to the water- 
ciroulation subsystem by applying the causal ^baoktracing and the 
fault-identification principles. 

Second, with the focus shifted to a particular flow- 
subsystem, a set of failure hypotheses is postulated with the 
application of the procedural knowledge inherited from the 
abstract flow-subsystem to which, this flow-subsystem is an 
instance cf. The failure-postulating procedure only concerns 
itself about interpreting variables which are related to this 
flow-subsystem. Continuing the cooling mechanism example in fig- 
ure from the sensor-observation that PI is normal, it 

exonerates three functional roles; the booster, the supply-path, 
and the reservoir, from being considered as possible culprits. 
Thus, the failure, if it indeed occurs within this flow- 
subsystem, must come from the delivery -path or the drain (which 
is excluded in this case since it is the open space in the 
WATER-TANK) . Interpreting a low flow-rate (Ff) detected in a 
serial path (L1 -> FILTER -> L2 -> HEAT-EXCHANGER -> L3 -> RADI- 
ATOR -> L^), following two rules can be applied; 

(1) Upstream-leakage — any component upstream to the point of 
detection can be leaking to cause the low flowrate measure- 
ment. 

(2) Path-cloggage — any component in the flow path can be 
clogged to cause the detected low flowrate. 

As the result of applying these flow-tracing rules, the 
following possible failures are postulated; LI leakage, LI 
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ologgage, FILTER ologgage, L2 ologgage, HEAT-EXCHANGER ologgage, 
L3 ologgage, RADIATOR ologgage, L4 ologgage. To re-eoiphaslze 
the signlfioanoe of oup hypothesizatlon-and-verlfioation 
apppoaoh, we siposs that the ’*L1 leakage’’ Is an outstanding oase 
duping the veplfloatlon phase due to its unique time-elapsed 
effeots. Among the above fallupe hypotheses, the ppediotive 
analysis ppooess will oonolude that only the ”L1 leakage” assep- 
tion will be expeotlng furthep symptom-event: the dpopping of PI 
to zepo aftep some time delay because the watep-tank will even- 
tually become empty. If this symptom indeed is obsepved ovep the 
PI sensop some time latep, the diagnosis ppocess can conclude 
that the ”L1 leakage” is the culppit. 


C onclusion 


As the conclusion of our study, we ppopose a futupe computep- 
based intelligent diagnosis system be opganized as shown in figupe 
3.8. The time-continuous sensopy data is fipst abstpacted into a 
sequence of qualitative symptom events, which will be compaped with 
the ppedicted failure behavior from the intelligent diagnosis pro- 
gram. Those accepted failure hypotheses, together with their jus- 
tifications, will be (1) presented through some means of man-machine 
interfaces (e.g. , graphical or text display, voice synthesizer, 
etc.) in a form which can be readily understood by people so as lio 

help them in their decision-making^, (2) presented through a shared 


We call this feature the Iptelligent interface since it presents 
the diagnostic result with concise justification, rather than just 
presenting the raw data. 
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Figure 3»8 System Organization of a Future Intelligent Diagnosis System 
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data base in its entirety to other intelligent programs so as to 
allow other intelligent activities (e.g., recovery-planning) to 
proceed. 
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